Monday, 15 May 2017

What can we learn from the recent global ransomware attack?

On Friday 12 May, cybercriminals released the WannaCry virus, with devastating consequences around the world. The virus took control of users’ files and demanded $300 (£230) payments to restore access. Within the first few hours, the UK, France, Spain, Russia and the US had all been affected, with others, including Australia, Sweden and Norway, reporting incidents since that time.

The most recent estimate is that 200,000 machines have been affected in 150 countries. In the UK, the weekend headline centred around 61 NHS organisations that have been disrupted, causing some hospitals to cancel treatments and appointments, and divert ambulances to other sites. Pathology services are said to be the most seriously affected, alongside imaging services, such as MRI and CT scans, and X-rays, which transmit images via computers.

It is reported that:

  • The NHS was relying on the Windows XP operating system, which Microsoft stopped supporting in April 2014.
  • Microsoft was paid £5.5 million to support Windows XP for a further year, but the government decided not to renew that contract after May 2015.

Queries are now being raised about whether the government – in particular, Secretary of State for Health, Jeremy Hunt – made a funding decision that has now exposed NHS systems.

Back in December 2016, the Information Commissioner’s Office (“ICO”) stated, “If the personal data which you are responsible for has been encrypted as a result of a ransomware attack and you are unable to restore that data then the ICO could be of the view that you have not taken appropriate measures to keep it secure and have therefore breached the Data Protection Act.” Now might be a good time to review the ICO’s guidance about how to prevent and recover from a ransomware attack, which provides some top tips for organisations.

The WannaCry ransomware attack serves to remind organisations generally of the importance of reviewing their systems and processes so that they understand the risk they carry for as long as a software update is held back while it is tested. Of course, it’s a tricky balance, because organisations need to test updates themselves before releasing them into often complex internal systems that contain many potentially conflicting software programs.

Given how many updates are likely to be popping up all the time, many businesses are simply not clear whether an update should be installed at all. We would recommend that software providers be clearer about when an update is truly necessary, so that customers can understand the risk they take by not installing it. Of course, this assumes that the providers are fully aware of the potential risks in the first place: is it possible for them to be clear in a world filled with so many diverse groups with criminal intent?

If your organisation has been affected by the WannaCry virus, or by a ransomware attack generally, there is a strong chance that a breach of the Data Protection Act 1998 has occurred. You should consider this and record the outcome of your investigation on your organisation’s data protection breach register. You will also have to consider whether the breach is reportable to the ICO. Please contact Pritchetts if we can provide you with guidance and support in investigating and handling your data security breach.

If you have any questions more generally about the effect of ransomware attacks on the personal data that your organisation holds, or how to assess your information security or information governance systems and processes, please don’t hesitate to contact Pritchetts for advice and support.